ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform
MIT License

Use TFSEC in a GitHub Action #2502

Closed jasonBirchall closed 3 years ago

jasonBirchall commented 3 years ago

tfsec uses static analysis of your terraform templates to spot potential security issues.

We could trigger this tool on a PR to main, if it fails the code is not merged.

https://github.com/tfsec/tfsec

davidread commented 3 years ago

My notes on the outcome:

tfsec comes as a binary. Reviewdog provides a GitHub Action. It comments on PRs and can optionally be a failed PR check. @jasonBirchall installed it on cloud-platform-infrastructure. tfsec.yml is for the configuration - e.g. check just what changed or the whole repo. We have 27 warnings and failures:

- Maybe it would be more useful on the environments repo, since service teams are writing TF now and we review that.
- Currently there's no way to override - it would just get ignored / alert blindness.
- Better to review the errors it has flagged than install it for all PRs.
- Maybe we can learn from the best practices it opines.
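For readers following along, here is an added example of the kind of workflow the two comments above describe (a PR check to main that runs tfsec through the reviewdog action). It is not the workflow that was installed on cloud-platform-infrastructure; the file path, the `terraform` working directory and the branch name are assumptions, and the `reviewdog/action-tfsec` inputs shown are the ones that action documents.

```yaml
# .github/workflows/tfsec.yml  (added example; path and directory names are assumptions)
name: tfsec

on:
  pull_request:
    branches: [main]           # assumption: main is the protected branch
    paths:
      - '**.tf'
      - '**.tfvars'

permissions:
  contents: read
  pull-requests: write         # reviewdog posts review comments on the PR
  checks: write                # and reports a check result

jobs:
  tfsec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run tfsec via reviewdog
        uses: reviewdog/action-tfsec@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          working_directory: terraform   # assumption: where the TF modules live
          reporter: github-pr-review     # inline comments on the PR diff
          filter_mode: added             # report only lines changed in this PR
          fail_on_error: true            # a finding fails the check, so the PR cannot merge
          level: error                   # severity reported to GitHub
```

`filter_mode: added` is the "check just what changed" setting from the notes: findings in pre-existing code (the 27 already on the repo) do not block a PR that did not touch them, which limits the alert-blindness risk; `filter_mode: nofilter` reports the whole repo on every PR. With `fail_on_error: true` the check can be made a required status on the branch protection rule for main, which is what turns "if it fails the code is not merged" into an enforced rule rather than a comment.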